F5 ASM WAF Config #1

Open
nateambringit opened this issue Apr 21, 2020 · 9 comments
Labels
enhancement New feature or request

Comments

@nateambringit

Hi, can you share your F5 Config for this project?

Thank you.

@aknot242
Collaborator

Hello! This is used for NGINX App Protect, which is in beta right now. I have not used it with F5 ASM.

@464d41 464d41 added the enhancement New feature or request label Apr 22, 2020
@464d41
Contributor

464d41 commented Apr 22, 2020

IMO this is a good enhancement request: to make these dashboards work across all of F5's WAF flavors. I'll try to carve out some time to accomplish that. Any help appreciated.

@nateambringit
Author

nateambringit commented Apr 22, 2020

Thank you for replying to me. I am actually trying this project for my F5 WAF with remote logging. The issue is that when I try to run Logstash it says this:

[[main]>worker1] kv - Exception while parsing KV {:exception=>"Invalid FieldReference: `info tmm2[16492]: Rule /Common/myrule : source logreq: /mywebsitepath/"}

And I didn't know this is an NGINX project, sorry, but it would be good if it worked with all of F5's WAFs too, because as far as I know the ELK project for F5 WAF is deprecated, so it landed me here.

@aknot242
Collaborator

Actually, I would recommend F5 Telemetry Streaming for this. You can send your WAF logs directly to Elasticsearch with it. Have you seen it? https://clouddocs.f5.com/products/extensions/f5-telemetry-streaming/latest/

I have used it before to send metrics and log events to Elasticsearch, but displayed them in Grafana. Here's my repo for that. I was using Ansible to install and configure it in a demo environment: https://github.com/aknot242/ansible-uber-demo

@nateambringit
Author

> Actually, I would recommend F5 Telemetry Streaming for this. You can send your WAF logs directly to Elasticsearch with it. Have you seen it? https://clouddocs.f5.com/products/extensions/f5-telemetry-streaming/latest/
>
> I have used it before to send metrics and log events to Elasticsearch, but displayed them in Grafana. Here's my repo for that. I was using Ansible to install and configure it in a demo environment: https://github.com/aknot242/ansible-uber-demo

F5 Telemetry Streaming seems new to me. Based on the link you shared, a requirement for using F5 Telemetry is BIG-IP version 13.0 or later, but the BIG-IP version I have is 12.x, which means it is not supported. Do you have any other advice?

@aknot242
Collaborator

Do you know who your F5 Sales Team is? I'd suggest you contact your Sales Engineer to see if they have additional suggestions or advice on this. If you cannot upgrade, you'll probably have to go back to updating the Logstash message formatting to try and make it work. I'm not a Logstash expert at all, and I didn't develop this code. I just forked the repository to try it out. Sorry.

@nateambringit
Author

> Do you know who your F5 Sales Team is? I'd suggest you contact your Sales Engineer to see if they have additional suggestions or advice on this. If you cannot upgrade, you'll probably have to go back to updating the Logstash message formatting to try and make it work. I'm not a Logstash expert at all, and I didn't develop this code. I just forked the repository to try it out. Sorry.

Sorry, I missed some information: my BIG-IP version is 13, which means it is supported. I will check your project for reference. Thank you.

@464d41
Contributor

464d41 commented Jun 5, 2020

> > Do you know who your F5 Sales Team is? I'd suggest you contact your Sales Engineer to see if they have additional suggestions or advice on this. If you cannot upgrade, you'll probably have to go back to updating the Logstash message formatting to try and make it work. I'm not a Logstash expert at all, and I didn't develop this code. I just forked the repository to try it out. Sorry.
>
> Sorry, I missed some information: my BIG-IP version is 13, which means it is supported. I will check your project for reference. Thank you.

Any success on making this work with AWAF?

@aknot242
Collaborator

aknot242 commented Jul 9, 2020

@nateambringit you may be interested in PR #7
